|ESTUDIO COLECTIVO DE DESPROTECCIONES|
|WKT Tutorialz Site|
|Program|Ulead PhotoImpact v4.12|W95 / W98 / NT|
|Protections|Trial / Nag|
|Level|1) Beginner, 2) Intermediate, 3) Advanced, 4) Professional, 5) Expert|
|Tools|SoftIce v3.25, W32dasm v8.9, UltraEdit v6.10a|
|Target|How to Avoid NagScreen and 30 day time limit|
|This is a very good program to manipulate your Image files. With some cool features. Try it!|
Well, with this tutorial you will learn how to avoid a Nag Screen in an easy way, and how to remove the time limit. The protection is inside U32cfg.dll.
This tutorial was originally written in Spanish and this translation could be some shit.
So, sorry for my English ;o)
|Here we go!|
Start the program and you'll notice it's a 30 day Trial scheme, without any disabled options.
It also has an ugly nag screen "dialogboxparama".
First of all, we are gonna kill that ugly nag screen. So, we set the first Breakpoint in our beloved SoftIce. Write "BPX dialogboxparama", press F11 and then press the "Try More!" button.
We'll land here:
* Reference To: USER32.DialogBoxParamA, Ord:008Eh
|
:4EB066CD FF15F4A3B14E      Call dword ptr [4EB1A3F4]
:4EB066D3 898590FDFFFF      mov dword ptr [ebp+FFFFFD90], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB066A2(C), :4EB066AB(C)
|
* Possible Reference to Dialog: DialogID_0001
|
:4EB066D9 B801000000        mov eax, 00000001
:4EB066DE E935010000        jmp 4EB06818
To avoid the Nag Screen just change:
:4EB066CD FF15F4A3B14E      Call dword ptr [4EB1A3F4]

To

:4EB066CD 909090909090
|Now, the 30 days time Limit. :o)|
So set your system clock at least 30 days ahead. Now start Photo Impact.
It will display another ugly dialog box.
Oh!, what a surprise!!! It's another "dialogboxparama" !!!
Back in SoftIce, we set the second Breakpoint (or just enable the first one again): "BPX dialogboxparama". Now look where we are ;o)

* Reference To: USER32.GetActiveWindow, Ord:00D5h
|
:4EB0671F FF15C0A3B14E      Call dword ptr [4EB1A3C0]
:4EB06725 50                push eax

* Possible Reference to Dialog: DialogID_0066
|
:4EB06726 6A66              push 00000066
:4EB06728 8B0D0C47B24E      mov ecx, dword ptr [4EB2470C]
:4EB0672E 51                push ecx

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
|
:4EB0672F FF15F4A3B14E      Call dword ptr [4EB1A3F4]
:4EB06735 89858CFDFFFF      mov dword ptr [ebp+FFFFFD8C], eax
:4EB0673B 83BD8CFDFFFF2A    cmp dword ptr [ebp+FFFFFD8C], 0000002A
:4EB06742 751D              jne 4EB06761

If you compare this code snippet with the last one, you'll notice that the first code snippet has just these additional instructions:

:4EB066D9 B801000000        mov eax, 00000001    <-- Ummm, Interesting!
:4EB066DE E935010000        jmp 4EB06818

In the first code snippet, EAX is assigned the value 1. Then there's a JMP to :4EB06818
In the second code snippet (Trial period expired), [ebp+FFFFFD8C] is compared to 2A and, if they are not equal, it will jump to :4EB06761

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:4EB06716(C), :4EB06742(C)
|
:4EB06761 33C0              xor eax, eax         <-- Bad idea!
:4EB06763 E9B0000000        jmp 4EB06818
So, we have to assign the value 1 to EAX and then jump to :4EB06818
Open the file u32cfg.dll with your favourite hex editor (UltraEdit for example) and modify the following bytes:

:4EB0672F FF15F4A3B14E      Call dword ptr [4EB1A3F4]
:4EB06735 89858CFDFFFF      mov dword ptr [ebp+FFFFFD8C], eax

We search "FF15F4A3B14E89858CFD" and we change it to: "B801000000E9B0000000"
So, we'll have this:

:4EB0672F B801000000        mov eax, 00000001
:4EB06735 E9B0000000        jmp 4EB06818
Voilà! It's done.
Do I really have to remind you of the purpose of this cracking tutorial?
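Seen from the vendor's side, both edits above are plain on-disk byte changes in a DLL that nothing verifies, so comparing a shipped file against a known-good copy finds them immediately. The following is an added example, not part of the original tutorial: the function names are hypothetical, and the buffers are constructed from the instruction bytes in the listings above rather than read from the real DLL.

```python
import hashlib

NOP = 0x90

def changed_ranges(good: bytes, suspect: bytes) -> list[tuple[int, int]]:
    """Return (offset, length) for each run of bytes that differs."""
    if len(good) != len(suspect):
        raise ValueError("size mismatch: file was truncated or extended")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(good, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(good) - start))
    return runs

def classify(old: bytes, new: bytes) -> str:
    """Heuristic triage label for one modified run (32-bit x86)."""
    if old[:2] == b"\xff\x15":              # call dword ptr [imm32]
        if all(b == NOP for b in new):
            return "indirect call replaced by NOPs"
        if new[:1] == b"\xb8":              # mov eax, imm32
            return "indirect call replaced by forced EAX value"
    return "unclassified modification"

def audit(good: bytes, suspect: bytes) -> list[tuple[int, int, str]]:
    """Empty list if the digests match, else one entry per modified run."""
    if hashlib.sha256(good).digest() == hashlib.sha256(suspect).digest():
        return []
    return [(off, n, classify(good[off:off + n], suspect[off:off + n]))
            for off, n in changed_ranges(good, suspect)]

# Constructed sample: instruction bytes from the two listings, concatenated.
GOOD = bytes.fromhex(
    "FF15F4A3B14E898590FDFFFFB801000000E935010000"
    "506A668B0D0C47B24E51FF15F4A3B14E89858CFDFFFF83BD8CFDFFFF2A751D")
# The same buffer with both byte edits from the tutorial applied.
_buf = bytearray(GOOD)
_buf[0:6] = b"\x90" * 6
_buf[32:42] = bytes.fromhex("B801000000E9B0000000")
PATCHED = bytes(_buf)

if __name__ == "__main__":
    for off, n, why in audit(GOOD, PATCHED):
        print(f"offset {off:#06x}: {n} bytes changed ({why})")
```

In a real deployment the reference would be a vendor-published digest or a code-signature check performed outside the file being checked, not a second copy kept next to it.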
NOTE FOR THE READER:
This essay could contain mistakes (maybe the author skipped some steps, maybe wrong memory addresses, etc.). The purpose is for you to learn to "think like a cracker".
Good Luck! ;o)
*========-*-*-*-* P E R S O N A L G R E E T Z *-*-*-*-========*
Dasavant, Niabi, r00ster, ZEncrakz, Azrael, Klimpong, Zor
Conde-Vampiro, Mac-Crack, Killer_P, ASTAGA, Harvestr, Iczelion
JosephCo, Carpathia, Taylor, Tapu, Ivanopulo, EgoistE, Torn@do,
JUANDA, Leoworld, ReKiem, Neural_N, Netking, Russ97, Mr.Pink
and of course all WKT Members ;o)

*------------------*
|WHISKEY KON TEKILA|
|Mr.WhiTe [WkT!99] |
|http://wkt.tsx.org|
|http://ecd.tsx.org|
*------------------*